Deploying a DNS Server to Amazon AWS with bosh-init

This post describes how to deploy a BIND 9 DNS server to Amazon AWS using bosh-init, a command-line BOSH tool that enables the deployment of VMs without requiring a Director VM. [1]

This blog post is the second of a series; it picks up where the previous one, How to Create a BOSH Release of a DNS Server, left off. Previously we described how to create a BOSH release (i.e. a BOSH software package) of the BIND 9 DNS server and deploy the server to VirtualBox via BOSH Lite.

3. Deploy

Let’s deploy (if you see Gem::Installer::ExtensionBuildError: ERROR: Failed to build gem native extension while installing, you may need to run xcode-select --install and accept the license in order to install the necessary header files):

4. Test

We test our newly-deployed DNS server to ensure it refuses to resolve queries for which it is not authoritative (e.g. google.com), but answers queries for which it is authoritative (nono.com). We assume that no change has been made to the manifest’s jobs/properties/config_file section; i.e. we assume that the server that has been deployed is a slave server for the zone nono.com.

BOSH does not install ‘packages’ (e.g. .deb, .rpm); instead, one must build a custom BOSH release or take advantage of community-built releases.

Appendix A. The Importance of Disallowing Recursion

We disable recursive queries on our DNS servers that have been deployed to the Internet because doing so prevents our server from being used in a DNS Amplification Attack. DNS Amplification Attacks are doubly-damning in the sense that we pay for the attack’s bandwidth charges (we pay in the literal sense: Amazon charges us for the outbound traffic).

The good news is that since version 9.4 BIND’s default is to not recurse (our BOSH release’s version is 9.10). If you truly need to allow recursion, add the following stanza to the jobs→properties→config_file section of the deployment’s manifest; it configures the BIND server as an Open Resolver (a DNS server that allows recursive queries is known as an Open Resolver). Don’t do this unless your server is behind a firewall:

options {
  recursion yes;
  // DO NOT put the following line on an Internet-accessible DNS server
  allow-recursion { any; };
};

An easy way to test if your server is an Open Resolver is to run the following dig command (substitute 52.6.149.97 with the address of your deployed DNS server):

dig freeinfosys.com ANY @52.6.149.97
...
;; MSG SIZE rcvd: 33

The “MSG SIZE rcvd: 33” means that recursion was denied (i.e. our server is properly configured). If instead you see “MSG SIZE rcvd: 3185”, then you need to edit your deployment’s manifest and re-deploy.
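As an added example (not part of the original post), the same check written in Python: it sends the freeinfosys.com ANY query that the dig command above sends, and reads the response header’s RA (“recursion available”) bit and RCODE instead of relying on the message size. The 33-byte reply is simply the 12-byte header plus the 21-byte question echoed back as REFUSED with no answer section; the sample responses in the test are constructed, and the server address passed to probe() is the one from this post.

```python
import socket
import struct

RD, RA, QR = 0x0100, 0x0080, 0x8000   # header flag bits: recursion desired / available, response
QTYPE_ANY, QCLASS_IN = 255, 1
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Header with RD set, one ANY/IN question, no other sections (33 bytes for freeinfosys.com)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)


def parse_header(response: bytes) -> dict:
    """Decode the header fields that tell us whether the server recursed on our behalf."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    return {"id": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "ancount": an, "size": len(response)}


def classify(response: bytes) -> str:
    """A correctly deployed non-recursive server answers REFUSED with RA clear."""
    h = parse_header(response)
    if h["ra"] and h["rcode"] == "NOERROR":
        return "open resolver"
    return "recursion denied"


def probe(server: str, name: str = "freeinfosys.com", timeout: float = 3.0) -> str:
    """Send the query over UDP to our own deployed server and classify its reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:          # the reply must carry our transaction id
        raise ValueError("transaction id mismatch")
    return classify(data)
```

Running probe("52.6.149.97") against the deployed server should return "recursion denied"; "open resolver" means the manifest still allows recursion and the deployment needs to be fixed and re-deployed.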

Probed within 3 Hours, Exploited within 3 Days

Our server was probed within 3 hours of deployment (logs from /var/log/daemon.log):

Acknowledgements

Dmitriy Kalinin‘s assistance was invaluable when creating the sample manifest, proofreading the draft, and suggesting simplifications.

Footnotes

1 We use bosh-init rather than a Director VM primarily for financial reasons: with bosh-init, we need only spin up the DNS server VM (a t2.micro instance, $114/year [2]). Using a Director VM requires an m3.medium instance ($614/year), ballooning our costs 538%.

2 Amazon EC2 prices are current as of the writing of this document. A t2.micro instance costs $0.013 per hour; assuming 365.2425 24-hour days per year, this works out to $113.96/year. An m3.medium instance costs $0.070 per hour, i.e. $613.60/year. Our calculations do not take into account Spot Instances or Reserved Instances.

Admittedly there are mechanisms to reduce the cost of the Director VM—for example, we could suspend the Director VM instance after it has deployed the DNS server.